290 likes | 302 Views
Learn how Kill-Bots can help web servers survive and defend against organized DDoS attacks that mimic flash crowds, using methods like SYN cookies, CAPTCHAs, and Bloom filters. This solution provides security and efficiently divides resources between authentication and service.
E N D
Kill-BotsSurviving Organized DDoS Attacks That Mimic Flash Crowds Srikanth Kandula, Dina Katabi, Matthias Jacob and Arthur Berger Based on Srikanth Kandula’s Presentation Boris Korenfeldkorenf@post.tau.ac.il
20,000+ zombies issue requests that mimic legitimate browsing GET File.zip DO DBQuery CyberSlam www.foo.com Requests Look Legitimate Standard filters don’t help
Instances of CyberSlam First FBI DDoS Case – Hired professionals hit competitor Mafia extorts online gaming sites … Code RED Worm Why CyberSlam? Avoid detection by NIDS & firewalls High pay-off by targeting expensive resources E.g., CPU, DB, Disk, processes, sockets Large botnets are available CyberSlam Attacks Happen!
Tentative Solutions • No big consumers; Commodity OS do not support fine-grained resource accounting • Might not exist, expensive to check • Computation is abundant in a botnet • Filter big resource consumers? • Passwords? • Computational puzzles? ????
Kill-Bots is a kernel extension for web servers LOAD > L1 Suspected Attack Normal LOAD < L2 < L1 New Clients are authenticated once and given HTTP Cookie No Overhead
Reverse Turing Test (e.g., CAPTCHAs) to distinguish humans from zombies But…
3 Problems with CAPTCHA Authentication (2) Bias against users who can’t or won’t answer CAPTCHAs NO Can’t see it • (1) DDoS the authentication mechanism • (3)How to divide resources between service andauthentication as to maximize system goodput?
SYN SYNACK SYNACKACK Send CAPTCHA HTTP Request TCP FIN Authentication vulnerable to DDoS Problem 1: Client Server Standard Network Stack SYN Cookie Check cookie, socket, reserve buffers Causes context switch, buffer copies Resources are reserved till client sends a FIN but zombies don’t FIN
SYN SYNACK SYNACKACK Send CAPTCHA HTTP Request TCP FIN Problem 1: Authentication vulnerable to DDoS Modify network stack to issue CAPTCHAs without state Solution: Client Kill-Bots Server Modified Network Stack • Stateless & Cheap • Keep congestion control semantics • No browser mods. SYN Cookie Drop; Check cookie, send CAPTCHA without a socket!
Kill-Bots Token • When the Kill-Bots server issues a puzzle, it creates a Token. • Browser reports the answer to the server along with the Kill-Bots token. • Server verifies the token by recomputing the hash. • Server checks the Kill-Bots token to ensure the token was created no longer than 4 minutes ago. • Server checks if the answer to the puzzle is correct. • If all checks are successful, the server creates a Kill-Bots HTTP cookie and gives it to the user. • Cookie allows the user to re-enter the system for 30 minutes. • Each correctly answered graphical test allows the client to execute a maximum of 8 simultaneous HTTP requests.
Problem 2: Legit. Users who don’t answer CAPTCHA Solution: • Humans • Answer CAPTCHA • Reload; if doesn’t work, give up Use reaction to CAPTCHA Zombies Can’t answer CAPTCHA, but have to bombard the server with requests • Count the unanswered CAPTCHAs per IP, and drop if more than T; Cheap with a Bloom Filter Bloom Filter increase give captcha decrease correct ans. COUNTER
Stage 1: CAPTCHA Authentication Learn IP addresses of zombies using Bloom filter Stage 2: Use only Bloom filter for Authentication No CAPTCHAs Bloom Learns All Zombie IPs Users who don’t answer CAPTCHAs can access the server despite the attack in Stage 2
To Authenticate or To Serve? Authenticate all new arrivals can’t serve all authenticated clients Authenticate very few arrivals too few legitimate users are authenticated Problem 3: Solution: • Authenticate new clients with prob. (drop others) • But what maximizes goodput?
Analysis • Modeled system using Queuing Theory • Found Optimal *(proof in paper) • But * depends on many unknown parameters • attack rate • mean service time • mean session size • legitimate request rate, etc…
Solution to Problem 3: Kill-Bots adapts the authentication prob. by measuring fraction of time CPU is idle
Security Analysis • Socially-engineered attack: attackerforce their own visitors to solve CAPTCHAs before granting access. • Puzzles in Kill-Bots expire 4 minutes after they have been served. • Maximum of 8 simultaneous connections per cookie . • Polluting the Bloom Filter: attacker try to spoof his IP address and pollute the Bloom filter. • SYN cookies prevent IP spoofing and Bloom filter entries are modified after the SYN cookie check succeeds. • Breaking the CAPTCHA: automatic solving of simple CAPTCHAs. • Such programs are not available to the public for security reasons yet. • When one type of CAPTCHAs get broken, Kill-Bots can switch to a different kind.
Security Analysis • Copy attacks: attackersolves one graphical puzzle and distributes cookie to many zombies. • Maximum of 8 simultaneous connections per cookie. • Replay attacks: attacker replay the answer packet to obtain many Kill-Bots cookies. • If an adversary tries to replay a session cookie outside its time interval it gets rejected. • Same Token yields the same cookie. • Database attack: attackercollects all possible puzzles and the corresponding answers. • Kill-Bots uses a large number of puzzles and periodically replaces puzzles with a new set. • The space of all possible graphical puzzles is huge. • Building a database, distributing it to all zombies, and ensuring they can search it and obtain answers within 4 minutes is very difficult.
Metrics • Goodput (of Legitimate Users) • Response time (of Legitimate Users) • Maximum survivable attack rate
Kill-Bots under DDoS 5-10 times better Goodput and Response Time Goodput of Legit. (Mb/s) Attack Rate (Request/sec) Response Time (sec) Attack Rate (Request/sec)
Why Adapt the Authentication Probability? Server with adaptive authentication Server with authentication Base server Goodput of Legit. (Mb/s) Attack Rate (Request/sec) Adaptive is much better than authenticating every new user
Orders of magnitude better Response Time Flash Crowd Goodput of legit. (Mb/s) Response Time (sec) Time (sec)
Kill-Bots under Flash Crowd Adaptive provides admission control Flash Crowd Authentication Prob. Time (sec) Response Time (sec) Time (sec)
Kill-Bots under Flash Crowd Base Server Kill-Bots Number of dropped legitimate requests 360,000 80,000 Response Time (sec) Kill-Bots authenticates new clients only if it can serve them… Time (sec)
Kill-Bots’ Contributions • First to protect Web servers from DDoS attacks that mimic legitimate browsing • First to deal with CAPTCHA’s bias against legitimates users who don’t solve them • Sends CAPTCHA and checks answer without any server state • Addresses both DDoS attacks and Flash Crowds • Orders of magnitude better response time, goodput, and survivable attack rate
THANK YOU Boris Korenfeld korenf@post.tau.ac.il
Home Work Assignment • What are the differences between Stage1 and Stage2 in Kill-Bots? • What is the Kill-Bots modification to the Network Stack? • What problem the Admission Control solves? • What are the key components of Kill-Bots architecture? (in paper)